Linux Suspicious Process

These detections identify suspicious activity from process start records collected by the Insight Agent from Linux endpoints.

Attacker - Sudo Privilege Escalation Attempt

Description

Looks for attempted exploitation of a vulnerability in sudo that allows a standard user to become root by specifying a user ID of -1 or 4294967295.

Recommendation

Review the command in question passed to sudo to see if it was executed successfully under the context of the root user.

MITRE ATT&CK Techniques

  • Exploitation for Privilege Escalation - T1068

Attacker Technique - Apache Struts/Tomcat Spawns Uname

Description

This detection identifies ‘uname’ being spawned by ‘java’ running an Apache Tomcat web service. This technique is used by malicious actors to validate that an Apache Struts Tomcat server was successfully exploited.

Recommendation

Determine if the process being launched is expected or otherwise benign behavior. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

  • Exploit Public-Facing Application - T1190

Attacker Technique - Linux Reverse Shell

Description

This detection identifies simple techniques for creating a reverse shell on Linux using built-in utilities. Malicious actors use this technique post-compromise to deliver a shell from the compromised host back to their system so that additional system commands can be executed.

Recommendation

Determine if the process being launched is expected or otherwise benign behavior. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

  • Command and Scripting Interpreter - T1059

Attacker Technique - Perl Use Socket Reverse Shell

Description

This detection identifies simple ‘perl’ based reverse shells using the ‘Socket’ module being passed to the command line. Malicious actors use this technique post compromise to deliver a shell from the compromised host back to their system so that additional system commands can be executed.

Recommendation

Determine if the process being launched is expected or otherwise benign behavior. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

  • Non-Application Layer Protocol - T1095

Attacker Technique - Shell Redirection To or From /dev/tcp

Description

This detection identifies redirection of a shell to a remote host through the device ‘/dev/tcp’. Malicious actors use this technique to deliver a shell from a compromised host back to their system so that additional commands can be executed post-compromise.

Recommendation

Determine if the process being launched is expected or otherwise benign behavior. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

  • Non-Application Layer Protocol - T1095

Attacker Technique - Unshadow

Description

This detection identifies execution of the 'unshadow' utility. Malicious actors use it to retrieve the contents of the '/etc/passwd' and '/etc/shadow' files and prepare them for password-cracking utilities.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

  • OS Credential Dumping - T1003
  • /etc/passwd and /etc/shadow - T1003.008

Attacker Tools - Cobalt Strike Client Application - Linux

Description

This indicator is designed to detect the usage of the penetration testing/post-exploitation framework Cobalt Strike. This indicator is specific to Linux operating systems.

Recommendation

Investigate the process events to identify if this activity is authorized and expected within the client network.

Cryptocurrency Miner - Identify Writable Directories

Description

This detection identifies the 'touch' command being used to attempt to write a file, called 'writable', to various directories. This has been observed in cryptocurrency mining malware that is attempting to find writable directories.

Recommendation

Determine if the activity is expected or otherwise benign behavior. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

  • Resource Hijacking - T1496

Cryptocurrency Miner - Kworker

Description

This detection identifies use of Kworker, a customized version of the Linux Bitcoin mining software Minerd. Malicious actors drop Kworker on systems post-compromise via other malware, such as Mirai.

Recommendation

Determine if the process being launched is expected or otherwise benign behavior. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

  • Resource Hijacking - T1496

Cryptocurrency Miner - MinerGate

Description

This detection identifies command lines containing the string ‘Minergate’. ‘Minergate’ is a command-line Bitcoin miner often deployed by malicious actors.

Recommendation

Determine if the process being launched is expected or otherwise benign behavior. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

  • Resource Hijacking - T1496

Cryptocurrency Miner - Mining Pool URL in Command Line

Description

Mining pools are a way for multiple systems running cryptomining software to pool their resources over the network. Cryptocurrency mining malware will often use mining pools to increase efficiency, as it allows all of the attacker's compromised systems to work together.

Recommendation

Identify the miner process on the system. This can often be done easily by doing a process listing and identifying the process using the most CPU resources.

Cryptocurrency Miner - Process Kills Other Mining Processes

Description

This detection identifies the ‘kill’ command being used in an attempt to stop the processes of cryptocurrency miners. Cryptocurrency miners will attempt to identify any other miners running on a system to ensure that it will not be competing for resources.

Recommendation

Determine if the activity is expected or otherwise benign behavior. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

  • Resource Hijacking - T1496

Cryptocurrency Miner - Watchbog

Description

Watchbog is a cryptocurrency mining trojan for Linux. It downloads payloads from Pastebin, and spreads laterally by exploiting Jenkins and Redis server vulnerabilities.

Recommendation

Determine whether this is part of authorized administrator activity. Examine the parent process that spawned the command, and anything else that process may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Resource Hijacking - T1496

Cryptocurrency Miner - XMRig

Description

This detection identifies command line arguments consistent with XMRig. XMRig is a command line Monero miner often deployed by malicious actors.

Recommendation

Determine if the process being launched is expected or otherwise benign behavior. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

  • Resource Hijacking - T1496

Defense Evasion - HISTCONTROL=ignorespace

Description

This detection identifies the environment variable HISTCONTROL=ignorespace being added on Linux systems. This will cause any commands starting with a space to not be logged in the history file.

Recommendation

Examine the parent process that spawned the command, and anything else that process may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Clear Command History - T1070.003

Linux - Execution from Hidden Temp Directory

Description

Linux-based malware, particularly malware with a cryptocurrency mining component, is often observed using hidden directories inside /tmp. These directories start with a dot, e.g. /tmp/.malware.

Recommendation

Identify the process launching from the hidden directory and attempt to determine whether it is expected behavior. If it is a cryptocurrency miner, it will likely cause CPU usage to spike to 100%, which is an easy way to identify it.

MITRE ATT&CK Techniques

  • Hidden Files and Directories - T1564.001

Linux - Execution of Shared Object from Hidden Temp Directory

Description

Linux-based malware, particularly malware with a cryptocurrency mining component, is often observed executing Shared Object (.so) files from hidden directories inside /tmp. Their file paths resemble /tmp/.hidden/malware.so.

Recommendation

Identify the process loading the shared object file and attempt to determine whether it is expected behavior. If it is a cryptocurrency miner, it will likely cause CPU usage to spike to 100%, which is an easy way to identify it.

MITRE ATT&CK Techniques

  • Hidden Files and Directories - T1564.001

Linux Webserver Executing Suspicious Commands

Description

Identifies suspicious commands executed by processes belonging to commonly used webserver software, such as Apache or Nginx. Commands executed by a webserver process can be indicative of a web shell or otherwise compromised webserver.

Recommendation

Determine whether the commands being executed are part of the expected operation of the server. If not, investigate any files, domains, or IP addresses that the executed commands may have interacted with.

MITRE ATT&CK Techniques

  • Web Shell - T1505.003

Reconnaissance - Multiple SSH Discovery Commands

Description

This detection identifies multiple commands being run that attempt to discover information about SSH activity on the system. These commands include searching for id_rsa and known_hosts files, searching the contents of the bash_history file, searching the contents of the .ssh/config file, and searching for .pem certificates.

Recommendation

Determine whether this is part of authorized administrator activity. Examine the parent process that spawned the command, and anything else that process may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • SSH - T1021.004
  • SSH Authorized Keys - T1098.004

Suspicious Command - Remove and Recreate SSH Config Folder

Description

This detection identifies the ~/.ssh directory being removed and recreated. Malware has been observed doing this in order to overwrite any existing SSH configurations with its own.

Recommendation

Investigate the new files in the ~/.ssh directory. Examine the parent process that spawned the process in question, and any process that it may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • SSH - T1021.004
  • SSH Authorized Keys - T1098.004

Suspicious Command - SSH Key Echoed to Authorized Keys File

Description

This detection identifies SSH keys being echoed via the command line into the ~/.ssh/authorized_keys file. Malware has been observed doing this in order to allow SSH access to the operator.

Recommendation

Investigate the key that was added. Examine the parent process that spawned the process in question, and any process that it may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • SSH - T1021.004
  • SSH Authorized Keys - T1098.004

Suspicious Process - Apache Launches Wget or Curl

Description

This detection identifies an Apache process launching Curl or Wget. This may be done by a malicious actor who has compromised a web server in order to download additional malware.

Recommendation

Investigate the URL that is being contacted and whether or not it has a legitimate business use. If this activity is not benign or expected, consider rebuilding the host from a known, good source.

MITRE ATT&CK Techniques

  • Web Shell - T1505.003

Suspicious Process - Common Compromised Linux Webserver Commands

Description

This detection identifies commands that Rapid7 has observed being run on compromised Linux webservers, especially those that have been compromised via Oracle Weblogic vulnerabilities CVE-2020-14882 and CVE-2020-14883, as well as Atlassian Confluence vulnerability CVE-2021-26084.

Recommendation

Investigate the processes spawned. Some commands may be encoded in hexadecimal or base64; these should be decoded so that their intent can be determined. If this activity is not benign or expected, consider rebuilding the host from a known, good source and updating to the latest version of the server software.

MITRE ATT&CK Techniques

  • Exploit Public-Facing Application - T1190

Suspicious Process - Confluence Java App Launching Processes

Description

This detection identifies processes being launched by the Atlassian Confluence server app. Malicious actors have been observed exploiting CVE-2021-26084, a vulnerability for Confluence disclosed in August 2021 which can allow execution of arbitrary processes. Confluence does sometimes spawn processes legitimately, but special attention should be paid to common reconnaissance commands like whoami or ifconfig, as well as any commands that indicate additional files being downloaded, such as curl or wget.

Recommendation

Investigate the processes spawned by Confluence. Some commands may be encoded in hexadecimal or base64; these should be decoded so that their intent can be determined. If this activity is not benign or expected, consider rebuilding the host from a known, good source and updating to the latest version of Confluence.

Additional information can be found at Atlassian's site: https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html

MITRE ATT&CK Techniques

  • Exploit Public-Facing Application - T1190

Suspicious Process - Curl Downloading From Cloudfront URL

Description

This detection identifies the 'curl' command being used to download data from a CloudFront URL. Malicious actors have been observed using 'curl' to download second stage payloads from CloudFront.

Recommendation

Investigate the contents of the CloudFront URL. Examine the parent process that spawned the command, and anything else that process may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Web Service - T1102
  • Ingress Tool Transfer - T1105

Suspicious Process - Curl Downloading Shell Script

Description

This detection identifies Curl being used to download a shell script. The Curl utility is often used by malicious actors to download additional payloads on compromised Linux systems.

Recommendation

Investigate the URL and the file that was pulled from it. Examine the parent process that spawned the process in question, and any process that it may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Ingress Tool Transfer - T1105

Suspicious Process - Curl Output Piped to Bash

Description

This detection identifies output from the Curl utility being piped to bash or another shell process. Malicious actors may use Curl to download additional malware, and pipe that malware to bash for execution.

Recommendation

Investigate the URL that was downloaded from. Examine any additional processes spawned by the shell process that Curl spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Unix Shell - T1059.004
  • Ingress Tool Transfer - T1105

Suspicious Process - Curl Output Piped to Perl

Description

This detection identifies output from the Curl utility being piped to Perl. Malicious actors may use Curl to download additional malware, and pipe that malware to Perl for execution.

Recommendation

Investigate the URL that was downloaded from. Examine any additional processes spawned by the Perl process that Curl spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Ingress Tool Transfer - T1105

Suspicious Process - Curl Output Piped to Python

Description

This detection identifies output from the Curl utility being piped to Python. Malicious actors may use Curl to download additional malware, and pipe that malware to Python for execution.

Recommendation

Investigate the URL that was downloaded from. Examine any additional processes spawned by the Python process that Curl spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Python - T1059.006
  • Ingress Tool Transfer - T1105

Suspicious Process - Execution From Hidden Directory In tmp

Description

Looks for the execution of processes from within a hidden file or directory under /tmp.

Recommendation

Review the binary being executed.

MITRE ATT&CK Techniques

  • Hidden Files and Directories - T1564.001

Suspicious Process - FakeInit

Description

This detection identifies the use of the tool fakeinit, which is a component of takeover.sh. takeover.sh is a tool that allows a running system to have the Linux operating system reinstalled while running.

Recommendation

Review the activity on the host and verify whether this is authorized. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

Suspicious Process - Fetch Command to External IP Address

Description

This detection identifies the fetch command being used to communicate with an external IP address. Malicious actors use the fetch command to download second stage payloads during Linux compromises.

Recommendation

Investigate the IP address that is being contacted and the contents of any files named ‘fetch.txt’, as this is the default file that the fetch command will write to. Examine the parent process that spawned the command, and anything else that process may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Ingress Tool Transfer - T1105

Suspicious Process - Hidden Process Executes from Home Directory

Description

Looks for processes with hidden file names being executed from a user's home directory. Attackers often employ this technique post-compromise to hide coinminers or other potentially unwanted programs.

Recommendation

Review the file in question to see if it is malicious in nature.

Suspicious Process - Linux Adding User using dbus-send CreateUser

Description

This detection identifies a user-creation attempt made with the Linux dbus-send command. A polkit vulnerability can be exploited this way to gain root access via privilege escalation: malicious actors use it to add a root-level user and thereby gain root access to the system.

Recommendation

Verify whether this activity is benign or expected. If it is not, consider rebuilding the host from a known, good source and having the user change their password. Also check for any new root user that may have been added through successful exploitation of this vulnerability.

Suspicious Process - Linux Setting User Password using dbus-send SetPassword

Description

This detection identifies a SetPassword attempt made with the Linux dbus-send command. A polkit vulnerability can be exploited this way to gain root access via privilege escalation: malicious actors use it to add a root-level user and set its password, thereby gaining root access to the system.

Recommendation

Verify whether this activity is benign or expected. If it is not, consider rebuilding the host from a known, good source and having the user change their password. Also check for any new root user that may have been added through successful exploitation of this vulnerability.

Suspicious Process - Linux System OS Discovery Command

Description

This detection identifies an attempt to use cat to output the contents of files in the /etc directory that may contain OS information. Malicious actors may do this to learn which OS version they are targeting. This command has been observed in use by the RotaJakiro malware.

Recommendation

Determine whether this is part of authorized administrator activity. Examine the parent process that spawned the command, and anything else that process may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Software Discovery - T1518

Suspicious Process - lwp-download to External IP Address

Description

This detection identifies use of lwp-download, a Linux utility for downloading files from the internet. Malicious actors can use lwp-download to download second-stage payloads during Linux compromises.

Recommendation

Examine the command run and the URL it is contacting. Examine the parent process that spawned the command, and anything else that process may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Ingress Tool Transfer - T1105

Suspicious Process - Possible Reverse Shell

Description

This detection identifies a number of reverse shells that can be created using mostly built-in Linux functions. Attackers may use these reverse shells for C2 purposes.

Recommendation

Examine the process that spawned the shell, and anything that the shell process may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Unix Shell - T1059.004

Suspicious Process - WGet Output Piped to Bash

Description

This detection identifies output from the WGet utility being piped to bash or another shell process. Malicious actors may use WGet to download additional malware, and pipe that malware to bash for execution.

Recommendation

Investigate the URL that was downloaded from. Examine any additional processes spawned by the bash process that WGet spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Ingress Tool Transfer - T1105

Suspicious Process - Wget Output Piped to Perl

Description

This detection identifies output from the WGet utility being piped to Perl. Malicious actors may use WGet to download additional malware, and pipe that malware to Perl for execution.

Recommendation

Investigate the URL that was downloaded from. Examine any additional processes spawned by the Perl process that WGet spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Ingress Tool Transfer - T1105

Suspicious Process - WGet Output Piped to Python

Description

This detection identifies output from the WGet utility being piped to Python. Malicious actors may use WGet to download additional malware, and pipe that malware to Python for execution.

Recommendation

Investigate the URL that was downloaded from. Examine any additional processes spawned by the Python process that WGet spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Ingress Tool Transfer - T1105

Wget to External IP Address

Description

Identifies the wget utility being used to download files from an external IP address. Wget is often used by attackers on Linux-based systems to deploy additional tools after establishing a foothold on a system.

Recommendation

Determine the nature of the IP address by checking WHOIS and DNS records. If no obvious reason for downloading from that IP address exists, attempt to acquire and analyze the file that was downloaded from it.

MITRE ATT&CK Techniques

  • Ingress Tool Transfer - T1105